Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-09 Thread Grayhat
:: On Mon, 9 Nov 2015 12:36:00 +0100
:: <20151109123600.3...@gmx.net>
:: Grayhat wrote:


> No, ok, seriously, sounds like Thomas fixed it with #15313; as for the
> feature, the idea is to attempt protecting the mail system from bots
> attempting to abuse stolen credentials to pump out spam; ASSP already
> has a rate limiter which helps detect "mass mailing", slowing them
> down and alerting the admin but, till now, ASSP had no way to deal
> with a flock of bots with a bunch of different IPs authenticating
> using some stolen credentials and sending (say) 1 or 2 messages each;
> both issues can now be taken care of using the new feature :)

hmmm... maybe I'm wrong, but after a quick eyeball at the code it
sounds like the "$AUTHUserIPfrequency" only works with *FAILED* auth
attempts while, to be effective, it should work with *successful* ones,
so that, if a given user account gets successful authentication from a
number of different IPs in less than a given time T, then we could
assume that the account got compromised and is being abused by bots;
but the above makes sense only if the check is performed on *valid*
auth, not on errors.



___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-09 Thread Thomas Eckardt
> sounds like the "$AUTHUserIPfrequency" only works with *FAILED* auth
> attempts

No - the frequency is checked after the user name is known.

Thomas




From:    Grayhat <gray...@gmx.net>
To:      assp-test@lists.sourceforge.net
Date:    09.11.2015 16:57
Subject: Re: [Assp-test] fixes in assp 2.4.6 build 15312


Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-09 Thread Grayhat
:: On Sun, 8 Nov 2015 12:09:34 -0500
:: 
:: Scott MacLean wrote:

> This sounds like a great feature, but as soon as I turned it on (I
> used 3 600), EVERY user attempting to send email, even those
> connecting for the first time (including myself) was blocked with a
> 4.7.1, and subsequent attempts got them added to PBBlack as well. I
> had to turn it off and clean out recent entries to PBBlack to get
> things back on track.

well, at least it works, doesn't it :D ?

No, ok, seriously, sounds like Thomas fixed it with #15313; as for the
feature, the idea is to attempt protecting the mail system from bots
attempting to abuse stolen credentials to pump out spam; ASSP already
has a rate limiter which helps detect "mass mailing", slowing them
down and alerting the admin but, till now, ASSP had no way to deal with
a flock of bots with a bunch of different IPs authenticating using some
stolen credentials and sending (say) 1 or 2 messages each; both issues
can now be taken care of using the new feature :)




Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-09 Thread Grayhat
:: On Mon, 9 Nov 2015 12:36:00 +0100
:: <20151109123600.3...@gmx.net>
:: Grayhat wrote:

> No, ok, seriously, sounds like Thomas fixed it with #15313; as for the
> feature, the idea is to attempt protecting the mail system from bots
> attempting to abuse stolen credentials to pump out spam; ASSP already
> has a rate limiter which helps detect "mass mailing", slowing them
> down and alerting the admin but, till now, ASSP had no way to deal
> with a flock of bots with a bunch of different IPs authenticating
> using some stolen credentials and sending (say) 1 or 2 messages each;
> both issues can now be taken care of using the new feature :)

forgot, as for the notify, one may want to add the following to the
"NotifyRe":

warning: too many recipients
too many authentication attempts

to get notifications for both the rate limiter *and* the new auth IP
checker; this could allow mail admins to be quickly alerted about
possible outbound spam runs and/or compromised accounts.




Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-08 Thread Scott MacLean
On 11/8/2015 3:06 AM, Thomas Eckardt wrote:
> added:
>
> 'AUTHUserIPfrequency','Max IP Changes for AUTHentication per User'
>  If the authentication methods PLAIN or LOGIN are used by clients, two space separated values specify the number of different IP's and a timeframe in seconds, which should not be exceeded by a user.
>  For example "2 600" - notice these are the minimum values for IP-number and seconds.
>  The example disallows a user from authenticating (using PLAIN or LOGIN) from two or more different IP-addresses within 600 seconds. In other words - a user is allowed to authenticate from another IP-address 601 seconds after the last authentication.
>  Each attempt to authenticate is counted by this feature.
>  MaxAUTHErrors is counted if a user breaks this rule.
>  Leave this blank to disable this feature.

This sounds like a great feature, but as soon as I turned it on (I used
3 600), EVERY user attempting to send email, even those connecting for
the first time (including myself) was blocked with a 4.7.1, and
subsequent attempts got them added to PBBlack as well. I had to turn it
off and clean out recent entries to PBBlack to get things back on track.

Here's what I got the very first time I tried to send an email after I
turned the feature on, when DB-AUTHIP was still empty:

Nov-08-15 11:48:29 [Worker_1] Worker_1 wakes up
Nov-08-15 11:48:29 [Worker_1] Info: Worker_1 got connection from MainThread
Nov-08-15 11:48:29 [Main_Thread] Info: Main_Thread freed by idle Worker_1 in 0.083 seconds - got (ok)
Nov-08-15 11:48:29 [Worker_1] Info: try to connect to server at 127.0.0.1:1027
Nov-08-15 11:48:29 [Worker_1] Info: connected to server at 127.0.0.1:1027
Nov-08-15 11:48:29 [Worker_1] Connected: session:F91E41C {my IP address}:58712 > 216.227.137.26:465 > 127.0.0.1:61433 > 127.0.0.1:1027 , 24-36
Nov-08-15 11:48:29 [Main_Thread] IP 127.0.0.1 matches allowStatConnectionsFrom - with 127.0.0.1/32
Nov-08-15 11:48:29 [Worker_1] [SSL-in] {my IP address} info: authentication - plain is used
Nov-08-15 11:48:29 [Worker_1] [SSL-in] {my IP address} [SMTP Error] 521 mail.netbound.com does not accept mail - closing transmission - you are not alloed to authenticate from IP {my IP address}
Nov-08-15 11:48:29 [Worker_1] [SSL-in] [AUTHUserIP] {my IP address} too many authentication attempts for user 'myusern...@hollsco.com' from different IP's
Nov-08-15 11:48:29 [Worker_1] [SSL-in] {my IP address} Message-Score: added 60 (autValencePB) for AUTHErrors, total score for this message is now 60
Nov-08-15 11:48:29 [Worker_1] [SSL-in] {my IP address} info: PB-IP-Score for '{my IP address}' is 60, added 60 in this session
Nov-08-15 11:48:29 [Worker_1] Disconnected: session:F91E41C {my IP address} - command list was 'EHLO,AUTH' - used 2 SocketCalls - processing time 0 seconds
Nov-08-15 11:48:29 [Worker_1] Worker_1 will sleep now





Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-08 Thread Thomas Eckardt
I'm sorry, there is a typo in the code - used '>' instead of '<'.

Thomas





From:    Scott MacLean <a...@hollsco.com>
To:      assp-test@lists.sourceforge.net
Date:    08.11.2015 18:10
Subject: Re: [Assp-test] fixes in assp 2.4.6 build 15312


[Assp-test] fixes in assp 2.4.6 build 15312

2015-11-08 Thread Thomas Eckardt
Hi all,

fixed in assp 2.4.6 build 15312:

- if a characterset conversion setting was changed, the old settings were internally not removed until the next (re)start of assp

- disabling the authentication was no longer working in build 15303

- it was possible that an SSL-connection passed through the transparent proxy (proxyConf) lost data or was unexpectedly disconnected, because of a too short socket buffer


changed:

- the RWL handling is improved (better logging, better handling of list.dnswl.org results)


added:

'AUTHUserIPfrequency','Max IP Changes for AUTHentication per User'
 If the authentication methods PLAIN or LOGIN are used by clients, two space separated values specify the number of different IP's and a timeframe in seconds, which should not be exceeded by a user.
 For example "2 600" - notice these are the minimum values for IP-number and seconds.
 The example disallows a user from authenticating (using PLAIN or LOGIN) from two or more different IP-addresses within 600 seconds. In other words - a user is allowed to authenticate from another IP-address 601 seconds after the last authentication.
 Each attempt to authenticate is counted by this feature.
 MaxAUTHErrors is counted if a user breaks this rule.
 Leave this blank to disable this feature.


'transparentRecipients','Mails to these Recipients are Handled in Transparent-PROXY Mode*'
 Mails to any of these recipients or domains are handled transparently immediately after a possible SRS check, BATV processing, Recipient-Replacement, RFC822 checks, ORCPT check and a feature match is found in the currently processed "RCPT TO:" SMTP command (envelope recipient).
 NOTICE: If a connection is moved in to the transparent proxy mode, this connection will stay in this mode until "MAIL FROM:" or "RSET" is used or the connection is closed by any peer.
 What does "transparent handled" mean? ASSP acts like a transparent Proxy. No filter actions are taken for the mail. Nothing is analyzed. Nothing is verified. Nothing is stored. Nothing is logged (except reply codes if configured) - only debugging will work.
 You can list specific addresses (u...@mydomain.com), addresses at any local domain (user), or entire domains (@mydomain.com). Wildcards are supported (fribo*@domain.com). (|).
 For example: fr...@thisdomain.com|jhanna|@sillyguys.org or place them in a plain ASCII file one address per line - file:files/transparentuser.txt.


Thomas

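The "N T" semantics of AUTHUserIPfrequency described in the announcement above, together with the inverted comparison Thomas reports in build 15312, modelled as added example code; this is not ASSP's own Perl source, and the class name, the user name, the IP addresses and the assumption that the flipped comparison was the IP-count test are illustrative choices, not facts from the thread.

```python
"""Model of ASSP's AUTHUserIPfrequency check (setting "N T"): per user name,
record the source IPs of PLAIN/LOGIN AUTH attempts and refuse an attempt once
N or more distinct IPs occur within T seconds.  Added illustration, not
ASSP's own Perl code; the check runs as soon as the user name is known."""
from collections import defaultdict


class AuthIPFrequency:
    def __init__(self, setting, clock):
        # setting is the ASSP value, e.g. "2 600"; blank disables the check.
        # clock returns the time in seconds, injected so the example runs
        # offline against a constructed timeline.
        self.enabled = bool(setting.strip())
        if self.enabled:
            self.max_ips, self.window = (int(v) for v in setting.split())
        self.clock = clock
        self.seen = defaultdict(dict)        # user -> {ip: last attempt}
        self.auth_errors = defaultdict(int)  # feeds MaxAUTHErrors

    def check(self, user, ip, inverted=False):
        """Return True if this AUTH attempt from ip may proceed.

        inverted=True models the build 15312 defect ('>' instead of '<'),
        assumed here to be the IP-count comparison: that passes only users
        already seen from MORE than N IPs, so a user absent from DB-AUTHIP
        is refused on the very first attempt."""
        if not self.enabled:
            return True
        now = self.clock()
        ips = self.seen[user]
        # An IP last seen more than T seconds ago no longer counts:
        # "601 seconds after the last authentication" is allowed again.
        for old_ip, ts in list(ips.items()):
            if now - ts > self.window:
                del ips[old_ip]
        ips[ip] = now                        # each attempt is counted
        n = len(ips)
        allowed = n > self.max_ips if inverted else n < self.max_ips
        if not allowed:
            self.auth_errors[user] += 1      # counted against MaxAUTHErrors
        return allowed


def scenario(inverted=False):
    """Constructed timeline, setting "2 600": home IP twice, a second IP
    inside the window, then a third IP 601 s after the last attempt."""
    t = [1_000_000]
    chk = AuthIPFrequency("2 600", clock=lambda: t[0])
    steps = [(0, "192.0.2.10"), (300, "192.0.2.10"),
             (60, "198.51.100.7"), (601, "203.0.113.9")]
    results = []
    for delay, ip in steps:
        t[0] += delay
        results.append(chk.check("alice", ip, inverted))
    return results, chk.auth_errors["alice"]
```

With the fixed comparison only the second IP inside the window is refused and the user's MaxAUTHErrors counter rises once; with the inverted comparison every attempt is refused, which is the symptom Scott saw on an empty DB-AUTHIP.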